Do you have any tips for helping the business understand when data becomes more of a liability than an asset of real value? Is the current regulatory landscape making this harder or easier to determine, from your experience?

Risk ManagementInternal CXO Relationships
450 viewscircle icon4 Comments
Sort by:
Chief Risk Officer10 months ago

Businesses need to recognize that data can quickly become a liability when it’s outdated or improperly managed. Clear communication about the risks—like compliance costs and potential breaches—can help. Interestingly, the current regulatory landscape is pushing us to reevaluate data value, making it easier to identify when it becomes more of a burden than a benefit.

Lightbulb on3
Director of IT10 months ago

Yes, I think you have to express in numbers how much is the cost of having that data. I believe is a good parameter that allows the business a better understanding of the situation. Here at the SBS, we have some regulatory that indicates us how long we must have the data. After that period, is a decision of the business if we want to maintain that data longer.

CISO/CPO & Adjunct Law Professor in Finance (non-banking)10 months ago

If there isn't a business reason to retain certain data, it should not be kept, as it then becomes a liability. This isn't just a broad liability but also an expensive one. Some AI projects can be funded simply by identifying and eliminating old or stale data. The current regulatory landscape mandates that businesses know what data they possess and comply with relevant regulations. These rules vary depending on the jurisdictions in which the business operates, which means compliance and privacy officers are crucial in managing this aspect.

CISO10 months ago

Sometimes, contractual requirements may necessitate retaining data for longer periods. Reflecting on my experience at Experian, where we faced numerous lawsuits and class actions, we had a forensic team dedicated solely to discovery responses. The data we retained never served to protect the company; instead, it often resulted in harm. Therefore, it is beneficial to delete data as soon as possible, as this reduces liability and shrinks the attack surface, making it harder for data to be stolen. However, it is essential to understand the relevant regulations and contractual obligations. This understanding will guide the development of retention schedules, which should be consistently applied across the organization. In one instance, inconsistency in data retention practices among business units led to legal complications. Maintaining consistency in data retention policies is crucial.

Content you might like

Does your organisation have a formalised threat hunting programme? If so - what were the key drivers for you in setting one up and what made it successful?

If not - what is stopping you from setting this up?

Has your company made you feel comfortable about the prospect of returning to the office?

Yes - My company has been clear with the back to office plan82%

No - Messaging around return to the office has been confusing and disjointed17%

Do you track access removal time for terminated employees as one of your cyber metrics?

Yes - for all employees48%

Yes - for certain employees44%

No8%

Unsure

View Results

What sorts of failsafe processes/controls, etc, do you rely on to make sure terminated or suspended employees’ access credentials are revoked immediately? Does your org generally rely on direct communications from HR or do you have an HRM or similar system to automate this?

Read More Comments

How are you socializing quantum-safe cryptography with your organization's leadership team? What’s your approach to the messaging around that given the complexity?

Read More Comments